Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-9303

Install does not begin if secure boot was enabled for the first time

    XMLWordPrintable

Details

    • Important
    • 5
    • Metal Platform 236, Metal Platform 239, Metal Platform 240, Metal Platform 241, Metal Platform 242, Metal Platform 243, Metal Platform 245, Metal Platform 246
    • 8
    • Unspecified
    • Hide
      * Previously, when installing {product-title} with the `bootMode` field set to `UEFISecureBoot` on a node where the `secureBoot` field was set to `disabled`, the installation program failed to start. With this update, Ironic has been updated so that you can install {product-title} with `secureBoot` set to `enabled`. (link:https://issues.redhat.com/browse/OCPBUGS-9303[*OCPBUGS-9303*])
      Show
      * Previously, when installing {product-title} with the `bootMode` field set to `UEFISecureBoot` on a node where the `secureBoot` field was set to `disabled`, the installation program failed to start. With this update, Ironic has been updated so that you can install {product-title} with `secureBoot` set to `enabled`. (link: https://issues.redhat.com/browse/OCPBUGS-9303 [* OCPBUGS-9303 *])
    • Release Note
    • 9/13: u/s patch finalized & under review

    Description

      Description of problem:
      If secure boot is currently disabled, and user attempts to enable it via ZTP, install will not begin the first time ZTP was triggered.

      When secure boot is enabled viz ZTP, then boot options will be configured before virtual CD was attached, thus first boot will be booting into existing HD with secure boot on. Install will then get stuck because boot from CD was never triggered.

      Version-Release number of selected component (if applicable):
      4.10

      How reproducible:
      Always

      Steps to Reproduce:
      1. Secure boot is currently disabled in bios
      2. Attempt to deploy a cluster with secure boot enabled via ZTP
      3.

      Actual results:

      • spoke cluster got booted with secure boot option toggled, into existing HD
      • spoke cluster did not boot into virtual CD, thus install never started.
      • agentclusterinstall gets stuck here:
        State: insufficient
        State Info: Cluster is not ready for install

      Expected results:

      • installation started and completed successfully

      Additional info:

      Secure boot config used in ZTP siteconfig:
      http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3000/kni-qe/ztp-site-configs/src/ff814164cdcd355ed980f1edf269dbc2afbe09aa/siteconfig/master-2.yaml#L40

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-19884 [4.14] Install does not begin if secure boot was enabled for the first time

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is depended on by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-19884 [4.14] Install does not begin if secure boot was enabled for the first time

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8434 Secure boot - bmh provisioning error with secure boot enabled

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          GitHub openshift/ironic-image#403: OCPBUGS-9303: update Ironic to include secure boot fixes

          GitHub openshift/ironic-image#435: OCPBUGS-9303: include the secure boot retry

          Web Link RHSA-2023:7198 OpenShift Container Platform 4.15 security update

          Activity

            People

              rhn-engineering-dtantsur Dmitry Tantsur
              rhn-support-yliu1 Yang Liu
              Periyamaruthu Mohanraj Periyamaruthu Mohanraj
              Red Hat Employee
              Votes:
              0 Vote for this issue
              Watchers:
              21 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: